net/ssl/ssl_cipher_suite_names.cc - Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings.

Unified Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Respond to comments; simplify a lot of the strings; take out IsObsoleteTLSCipherSuite(). Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/ssl/ssl_cipher_suite_names.cc

diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc

index f6b54606181f743741b26d9a6bb9156990b890a1..c46de2f3a2519715c99dd5fbcb9ffa7b49f4f5a3 100644

--- a/net/ssl/ssl_cipher_suite_names.cc

+++ b/net/ssl/ssl_cipher_suite_names.cc

@@ -295,6 +295,49 @@ bool GetCipherProperties(uint16_t cipher_suite,

return true;

}

+int ObsoleteSSLStatusForProtocol(int ssl_version) {

+ int obsolete_ssl = net::OBSOLETE_SSL_NONE;

+ if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2)

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;

+ return obsolete_ssl;

+int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {

+ int obsolete_ssl = net::OBSOLETE_SSL_NONE;

+ int key_exchange, cipher, mac;

+ if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {

+ // Cannot determine/unknown cipher suite. Err on the side of caution.

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;

+ return obsolete_ssl;

+ }

+ // Only allow ECDHE key exchanges.

+ switch (key_exchange) {

+ case 14: // ECDHE_ECDSA

+ case 16: // ECDHE_RSA

+ break;

+ default:

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;

+ }

+ switch (cipher) {

+ case 13: // AES_128_GCM

+ case 14: // AES_256_GCM

+ case 17: // CHACHA20_POLY1305

+ break;

+ default:

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;

+ }

+ // Only AEADs allowed.

+ if (mac != kAEADMACValue)

+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;

+ return obsolete_ssl;

} // namespace

namespace net {

@@ -361,34 +404,16 @@ bool ParseSSLCipherString(const std::string& cipher_string,

return false;

}

-bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {

- int key_exchange, cipher, mac;

- if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))

- return false;

+int ObsoleteSSLStatus(int connection_status) {

+ int obsolete_ssl = OBSOLETE_SSL_NONE;

- // Only allow ECDHE key exchanges.

- switch (key_exchange) {

- case 14: // ECDHE_ECDSA

- case 16: // ECDHE_RSA

- break;

- default:

- return false;

- }

+ int ssl_version = SSLConnectionStatusToVersion(connection_status);

+ obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);

- switch (cipher) {

- case 13: // AES_128_GCM

- case 14: // AES_256_GCM

- case 17: // CHACHA20_POLY1305

- break;

- default:

- return false;

- }

- // Only AEADs allowed.

- if (mac != kAEADMACValue)

- return false;

+ uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);

+ obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);

- return true;

+ return obsolete_ssl;

}

bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {

« chrome/app/generated_resources.grd ('K') | « net/ssl/ssl_cipher_suite_names.h ('k') | net/ssl/ssl_cipher_suite_names_unittest.cc » ('j') | no next file with comments »